From Lone Hackers to Criminal Enterprises
A decade ago, ransomware was typically written and deployed by the same person or small group. Today the ransomware ecosystem operates like a franchise business: developers build and maintain the malware, then lease it to affiliates who carry out the actual intrusions. This division of labor has dramatically increased the scale and sophistication of ransomware operations worldwide.
This model is known as Ransomware-as-a-Service, or RaaS, and it has transformed cybercrime into a professionalized industry with staggering financial returns.
How the RaaS Model Works
The structure mirrors legitimate software-as-a-service businesses:
- Developers create and maintain the ransomware payload, encryption routines, command-and-control infrastructure, and payment portals
- Affiliates purchase or lease access to the ransomware toolkit. They handle initial access, reconnaissance, lateral movement, and deployment within victim networks
- Revenue splits typically give affiliates 60 to 80 percent of ransom payments, with the remainder going to the developers
- Support teams provide technical assistance, negotiate with victims, and manage cryptocurrency payment processing
Some RaaS operations even maintain help desks to walk victims through the process of purchasing cryptocurrency and making payments.
The Major Players
Several RaaS operations have achieved notoriety for their scale and impact:
- LockBit dominated the ransomware landscape for years with a highly automated platform and aggressive affiliate recruitment before the Operation Cronos law enforcement disruption in February 2024
- BlackCat (ALPHV) was among the first major operations to ship a Rust-based payload, which evaded many endpoint detection tools and ran on Windows, Linux, and VMware ESXi hosts, and it operated a public data leak site
- Cl0p specialized in mass exploitation of zero-day vulnerabilities in managed file transfer products (Accellion FTA, GoAnywhere MFT, and MOVEit Transfer), hitting hundreds of organizations simultaneously
- RansomHub emerged as a successor operation absorbing affiliates from disrupted groups
When law enforcement takes down one group, affiliates simply migrate to the next platform. The decentralized nature of the model makes permanent disruption extremely difficult.
The Attack Chain
A typical RaaS-powered attack follows a well-established playbook:
- Initial access through phishing emails, exploiting unpatched vulnerabilities, or purchasing stolen credentials from access brokers
- Persistence and privilege escalation, usually with legitimate administration tools (PowerShell, PsExec, remote-management software) so that the activity blends in with normal operations
- Reconnaissance mapping the network and identifying critical systems, domain controllers, and backup servers
- Data exfiltration stealing sensitive files before encryption to enable double extortion
- Encryption deployment across as many systems as possible, typically preceded by deletion of volume shadow copies and other local recovery data, and often timed for nights or weekends when security teams are thinly staffed
- Ransom demand with threats to publish stolen data if payment is not made
Double and Triple Extortion
Modern ransomware groups rarely rely on encryption alone. Double extortion adds the threat of publishing stolen data on leak sites. Triple extortion may include DDoS attacks against the victim or directly contacting the victim's customers, patients, or partners to apply additional pressure.
This evolution means that even organizations with robust backup strategies face significant risk. Restoring from backups solves the encryption problem but does nothing to address stolen data being published online.
The Economics
The numbers reveal why this model thrives:
- Average ransom payments have climbed into the hundreds of thousands to millions of dollars
- RaaS subscriptions can cost as little as a few hundred dollars per month for entry-level toolkits
- Access brokers sell initial footholds into corporate networks for $500 to $10,000
- Cyber insurance has arguably subsidized the ecosystem by making victims more willing and able to pay
The return on investment for attackers is enormous, which continuously attracts new participants.
Defending Against RaaS Attacks
Organizations should focus on the fundamentals that disrupt the attack chain:
- Patch management: A large share of initial access still comes from known vulnerabilities with available patches, so prioritize internet-facing systems such as VPN gateways, remote access portals, and file transfer appliances
- Email security: Advanced phishing filters and employee training reduce one of the most common entry points
- Credential hygiene: Monitor for breached credentials, enforce strong, unique passwords, and require multi-factor authentication (preferably phishing-resistant) on all remote access
- Network segmentation: Limit lateral movement so that compromising one system does not grant access to the entire network
- Offline backups: Maintain offline or immutable backup copies that a compromised domain account cannot reach, and test restores regularly
- Endpoint detection and response: Modern EDR solutions can identify ransomware behavior patterns, such as shadow copy deletion and mass file renames, before encryption completes, and can isolate the affected host
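The behaviors the attack chain and the EDR bullet above describe (recovery data wiped with built-in administration tools, a burst of files renamed to one new extension, both typically at night or on a weekend) can be turned into simple detection logic. The following is an added example, not code from the original article or from any EDR product. The event format, the field names, the sample telemetry, and the thresholds are all assumptions constructed for the demonstration.

```python
"""Behavioral ransomware precursor detection over constructed endpoint telemetry.

Added example, not code from the original article or from any vendor product.
It scans a small, constructed list of process-creation and file-write events
and flags two behaviors: destruction of shadow copies and backups with built-in
Windows tools, and a burst of writes that give many files the same new
extension within a short window. Event format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Built-in commands commonly run before encryption to remove local recovery
# options; matched case-insensitively against the full command line.
BACKUP_KILL_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
RENAME_WINDOW_SECONDS = 30   # assumption: burst window length
RENAME_THRESHOLD = 5         # assumption: same-extension writes per window

# Constructed sample telemetry, not real logs. 2024-03-16 is a Saturday.
SAMPLE_EVENTS = [
    {"type": "process", "time": "2024-03-16T02:13:05", "pid": 4120,
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "process", "time": "2024-03-16T02:13:06", "pid": 4121,
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "process", "time": "2024-03-16T02:13:07", "pid": 4122,
     "cmdline": "vssadmin list shadows"},       # benign: lists, does not delete
    {"type": "file_write", "time": "2024-03-18T10:02:00", "pid": 2200,
     "path": "C:\\Users\\kim\\Documents\\budget.docx"},   # normal weekday saves
    {"type": "file_write", "time": "2024-03-18T10:05:00", "pid": 2200,
     "path": "C:\\Users\\kim\\Documents\\notes.docx"},
] + [
    {"type": "file_write", "time": f"2024-03-16T02:14:{i:02d}", "pid": 4130,
     "path": f"C:\\Shares\\finance\\report{i}.xlsx.lockd"}  # six renames in 6 s
    for i in range(6)
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def off_hours(ts):
    """True at weekends or outside 07:00-19:00, when staffing is thinnest."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def detect_backup_destruction(events):
    """Return process events whose command line matches a recovery-removal pattern."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        if any(p.search(ev["cmdline"]) for p in BACKUP_KILL_PATTERNS):
            hits.append({"pid": ev["pid"], "cmdline": ev["cmdline"],
                         "off_hours": off_hours(parse_ts(ev["time"]))})
    return hits


def detect_mass_rename(events):
    """Return one alert per process that writes RENAME_THRESHOLD or more files
    with the same extension inside RENAME_WINDOW_SECONDS."""
    writes = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_write":
            path = ev["path"]
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            writes[ev["pid"]].append((parse_ts(ev["time"]), ext))
    alerts = []
    for pid, items in writes.items():
        items.sort()
        for start, _ in items:  # anchor a window at each write in turn
            counts = defaultdict(int)
            for t, ext in items:
                if 0 <= (t - start).total_seconds() <= RENAME_WINDOW_SECONDS:
                    counts[ext] += 1
            ext, n = max(counts.items(), key=lambda kv: kv[1])
            if n >= RENAME_THRESHOLD:
                alerts.append({"pid": pid, "extension": ext, "count": n,
                               "off_hours": off_hours(start)})
                break  # one alert per process is enough
    return alerts


def triage(events):
    """Combine both detectors into a summary a SOC rule could act on."""
    backups = detect_backup_destruction(events)
    renames = detect_mass_rename(events)
    return {"backup_destruction": backups, "mass_rename": renames,
            "likely_ransomware": bool(backups) and bool(renames)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Against the constructed sample, the two deletion commands are flagged while the harmless `vssadmin list shadows` is not, the six `.lockd` writes from one process trip the rename threshold, and the office-hours `.docx` saves stay quiet. In production the same logic would read Sysmon or EDR process and file events instead of the inline list, and the off-hours flag would raise the alert's priority rather than decide it on its own.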
The Personal Impact
RaaS attacks increasingly hit healthcare providers, schools, and local governments, meaning the data of ordinary people ends up exfiltrated and published. When a hospital or insurer is breached, your medical records, Social Security numbers, and financial details may appear on dark web leak sites.
Check LeakedSource to monitor whether your personal data has surfaced from ransomware-driven breaches and take action before criminals exploit it further.